Method and apparatus for graphically analyzing a log-file.



An apparatus (101) and technique interactively analyze system log-files. System log-files, which are monitored by technical personnel and systems specialists to determine system performance, status, and software faults, are often generated during various hardware and software monitoring operations. Each log-file (120) contains time stamped reports. This technique is especially useful for analyzing large log-files. A new release of software may contain many incremental versions that must be tested. The testing of each incremental version may generate a log-file containing thousands of reports. Using this apparatus (101) and technique, reports are correlated, faults are isolated, and temporal patterns are recognized more quickly and efficiently than by using conventional, non-graphical techniques.
Technical Field

The invention concerns graphical displays in systems having one or more processors, such as distributed systems, in general and graphical displays of reports of system log files in particular.

Background of the Invention 

Many systems generate log-files as part of their normal operation. Such files typically contain reports on system performance, system status, and software faults. These reports are often free-format text. Each report is individually time-stamped indicating when it was created. By examining a log file, system operators may detect and correct system and software problems before such problems can affect system operation.

A common trait of log-files is that many unimportant reports are created along with the important reports. These "noise" reports clutter up the log-file and obscure the important reports. For example, a log-file created during a 15 hour test of a new release of a software program including many incremental versions may contain 55,000 reports comprising 100,000 lines of text, which is equivalent to 1600 pages. But only hundreds of those reports may actually be significant. The "noise" reports in the log-file may obscure one or more of the important reports and cause it to be overlooked by the operator.

It is an object of the present invention to provide 
an apparatus for graphically analyzing log files. 

It is another object of the invention to provide an apparatus for graphically displaying log files to enable an analyst to find the important reports within the log file.

It is another object of the invention to provide an apparatus that displays reports of a log file according to class and time of occurrence in order to allow the user to see the circumstances of each report.

It is another object of the invention to provide an apparatus that displays reports of a log file according to class and time of occurrence and allows the operator to interactively browse the reports to analyze the cause of the report.

Summary of the Invention 

Briefly stated, in accordance with one aspect of the invention, the aforementioned objects are achieved by providing an apparatus and method for showing a plurality of time-stamped messages that have a set of characteristics. The apparatus includes a plurality of symbols, with each symbol corresponding to one of the messages. Each symbol has an appearance that varies according to a characteristic of the message it corresponds to and a position that is determined by a time of the message and a characteristic of the message.

Brief Description of the Drawing 

While the specification concludes with the appended claims particularly pointing out and distinctly claiming the subject matter which is regarded as the invention, it is believed that the invention will be better understood from the following description taken in conjunction with the accompanying figures in which:

Fig. 1 is a block diagram of an example log file analysis system.

Fig. 2 is a pictorial view of a typical visual display as seen by an operator of the log file analysis system in a preferred embodiment.

Fig. 3 is a pictorial view similar to Fig. 2 but with finer gradations of time.

Fig. 4 is a pictorial view similar to Fig. 3 wherein only the reports of selected characteristics of the system under test are shown.

Fig. 5 is a pictorial view similar to Fig. 3 wherein only reports related to system database integrity checkers and correctors according to problem count are shown.

Fig. 6 is a pictorial view similar to Fig. 3 wherein only reports related to system database integrity checkers and correctors according to problem code are shown.

Fig. 7 is the same as Fig. 6 with a selector window overlaying part of the display.

Fig. 8 is the same as Fig. 7 with a browser window overlaying part of the display.

Fig. 9 is a detail of a processed log-file in memory.

Fig. 10 is a detail of data structures in memory.

Fig. 11 is a detail of a relation in memory.

Fig. 12 is a detail of global pool of attribute names in memory.

Fig. 13 is a detail of tuples in memory.

Fig. 14 is a detail of a selector in memory.

Fig. 15 is an overview of a process that produces a display according to the invention.

Fig. 16 is a detail of a procedure that produces relations.

Fig. 17 is a detail of a procedure that processes tuples.

Fig. 18 is a detail of a procedure that produces a display according to the invention.

Fig. 19 is a detail of a procedure that produces a plot for a chart.

Fig. 20 is a detail of a procedure that produces bars for a chart.

Fig. 21 is a detail of a procedure that produces time-bars.

Fig. 22 is a detail of a read log-file procedure.

Fig. 23 is a detail of a color log-file procedure.

Fig. 24 is a detail of a procedure that pick-correlates symbols, and

Fig. 25 is a detail of a procedure that plots tuples on the screen.

Detailed Description 

Referring now to Fig. 1, a block diagram of an example log file analysis system 101 is shown. The system 101 includes terminal 103, which provides output to and receives input from the system operator, processor 113, which performs the actual analysis operations, memory system 115, which contains programs 117 executed by processor 113 and relations 119, - 119, each of which contains a respective set of tuples. The system 101 also has a mass storage system 120 for storing a log-file in its unprocessed state, i.e. the group of time stamped messages as it was created.

In more detail, terminal 103 includes a display screen 105, upon which processor 113 displays information for the operator. Display screen 105 also includes pointer 107, which specifies a location in display 105 and may be moved under control of either keyboard 109 or mouse 111. The operator controls the operation of system 101 by inputs from keyboard 109 and/or mouse 111. Processor 113 may be any kind of processor, from a personal computer through a workstation or even a supercomputer. Memory system 115, finally, includes any data accessible to system 101, and may thus include random-access memory or read-only memory. Connected to memory system 115 is mass storage system 120, which reads data into memory system 115 to make such data more accessible or stores such data for the long term. Mass storage system 120 may include magnetic disk or optical disk.

When employing system 101 to analyze information in a log file, the operator may use keyboard 109 or mouse 111 as input devices. Processor 113 executes programs 117 as required to perform the analysis on the relations 119, - 119, and displays the results on display screen 105. The operator can then use keyboard 109 and/or mouse 111 to interactively examine the results in more detail.

The preferred embodiment of system 101 runs under the UNIX® operating system (UNIX is a registered trademark of UNIX Systems Laboratories) using a workstation with the X Window System.

Referring now to Fig. 2, a display 201 is shown on display screen 105. This display 201 is of a log file generated during a 15 hour test on a 5ESS distributed system (5ESS is a registered trademark of AT&T) during development. The log-file contains over 55,000 reports comprising 100,000 lines of text. The display 201 shows four classes of reports: asserts, i.e. detection of a software/data inconsistency; audits, i.e. system database-integrity checkers and correctors; operations-and-maintenance reports, i.e. hardware component removal, diagnostic, restoration and process-purges; and trunk-error reports during communication set-ups.

The first step in making the display 201 of the log-file easier to analyze is the selection of only the "interesting" reports. In this context, "interesting" means those reports that signify either service-affecting or potentially service-affecting events and software faults. The "noise" reports from the log-file are filtered out by simply not selecting them for processing or display. For the log-file considered, many of the reports are due to follow-up reports such as stack-frame, stack-trace, and register dumps. For analysis purposes, not only do these "noise" reports not contribute to the discovery of patterns and correlations by the system operator, but they tend to obscure those reports that do so contribute.

The second step in making the display 201 of the log-file easier to analyze is the exploitation of its temporal variations. In other words, use the time-stamp of each report as one coordinate for its placement on the display 201. Previous text based analysis techniques, such as those using visual text editors, obscured the inherent nature of time-stamped log-files because the spatial separation of interesting reports, i.e. the number of lines separating them, encountered while using the text editor has little relation to the period of time required to generate those lines. For example, one five-minute period of a log-file could be represented by reports having a few hundred lines, while another five minute period could be represented by reports having a few thousand lines.

The visualization technique of display 201 according to the present invention has angled tick-marks arranged in a grid. As an example, tick-mark 202 indicates the occurrence of a report regarding asserts 21101 in vertical axis 204. Tick-mark 202 is coded both by its inclination and color, as will be explained below. Along a vertical axis 204 of the grid, reports are broken down by class and type into bands 206, 208, 210 and 212 and rows, respectively. Each band 206-212 is made up of a distinct class of reports. Band 206 is made up of the rows of assert reports, band 208 is made up of the rows of audit reports, band 210 is made up of the operation and maintenance report rows and band 212 is made up of the trunk error report rows. Within a given class, each row is made up of reports of a single type. A type-name is printed on the left side of each row in vertical axis 204 and the total number of occurrences is shown on the right side of the display in the form of a bar-chart at the end of its corresponding row. The bar charts are scalable by slider 226 and the longest bar that is truncated by the scale appears in light gray. Display 201 can fit approximately 70 rows on display screen 105 simultaneously; this includes type-named rows and rows used for divider lines between bands. The horizontal axis 220 represents time. Time increases to the right of the display 201. Occurrences of a report of a given type are marked by drawing tick-marks along the row corresponding to that type at horizontal positions that correspond to the respective times of the occurrences as indicated by their time stamps. The total number of occurrences of all report types per unit-time is shown on the bottom of the display in the form of a stacked histogram extending from a second horizontal axis 221, which also represents time. A slider 228 adjusts the scale of the histograms also.

A relational data model is used for the displayed data of display 201. Each of the classes of bands 206-212 corresponds to a single relation 119, - 119, (shown in Fig. 1). The unique values for the primary attribute of a relation correspond to the various types within a class. On the left side of the display 201, there is an interactive color scale 224. Interactive color scale 224 is used to color-code report occurrences by the values of secondary attributes 226 of all the relations 119, - 119,. A set of secondary attributes 226 includes equipment, error count, error code, event, signaling type, processor identification, and trunk group type, as abbreviated in the lower-left corner of the display 201. The differences in gray scale shading in Fig. 2 represent the color coding of the reports according to their respective processor module, AM (unlabeled in Fig. 2), SM21, SM23, SM25, SM47 and SM48, associated with the report. The color coding of the reports is: light blue for SM21, dark green for SM23, light green for SM25, yellow for SM47 and red for SM48. In addition to using color to encode a characteristic with tick marks for the occurrence of reports, the inclinations of the tick-marks are also used to encode a possibly different characteristic. Use of color and inclination is complementary. If there are many values, colors of adjacent hues can be too close for the operator to distinguish. Encoding the display 201 such that both color and inclination encode an individual attribute makes adjacent values, although close in color, different in angle, thus allowing the operator to distinguish between them. Display 201 uses a pre-defined set of six inclination angles that are sufficiently different to allow the operator to distinguish between them. If more than six attributes must be encoded, the same inclination may be reused because by the time the inclination coding "wraps-around," the color coding has progressed to a sufficiently different hue to facilitate differentiation.

The stacked histograms projecting from horizontal axis 221 are also color coded in order to indicate which attributes correspond to the reports generated in the time period of the histogram. This is represented by the differences in gray scale shading of the stacked histograms. Thus, by looking at the stacked histograms of display 201 an operator could see that the performance of the system 101 began to deteriorate starting in the eleventh hour. Similarly, by observing the proportion of dark gray (dark green in the corresponding color figure) in the stacked histograms, the operator could conclude that many of the reports are occurring in processor module SM23.

Referring now to Fig. 3, display 301 is identical with display 201 except that the horizontal axis 321 is divided into five minute intervals instead of the one hour intervals of horizontal axis 201. This means that the stacked histograms projecting from horizontal axis 321 will represent five minute periods instead of one hour periods. Using this finer grain time division, the operator may now discover spikes of report activity starting after 1.5 hours of testing and repeating approximately every 20 minutes.

Inspection of the bar charts at the end of the rows shows that most of the report activity is occurring in the audit class in band 308 and operations and maintenance report band 310. According to the length of its bar-chart, the most frequently occurring audit type names were PORTLA, CKTDATA, CDBCOM, and ISANBUS. By the same criterion, the most frequently occurring assert type name was 39999. Review of the PORTLA, CKTDATA, CDBCOM, ISANBUS and 39999 rows in display 301 shows a substantial number of tick marks with the characteristic inclination and color of processor module SM23, confirming what the bar charts showed.

If processor modules SM21, SM25, SM47 and SM48 are experiencing similar problems as those of SM23, only to a lesser degree, a possible system wide problem is indicated. If, however, the problems occurring are isolated to SM23, a localized problem is indicated. Using the interactive color scale 224 at the left of display 301 the tick marks of one or more of the processor modules SM21-SM48 can be turned off, i.e. not displayed, in order to reveal such other significant report patterns within the log-file.

Display 401 of Fig. 4 displays the performance of processor modules SM25 and SM48 alone. Processor module SM25 has the lighter gray tick marks, light green on a color display, that are more vertically oriented. Processor module SM48, on the other hand, has the darker tick marks, red on a color display, that are more horizontally oriented. Processor module SM25 has a burst of report activity of various types about two and one half hours into the test and a reasonably steady stream of ISANBUS audit reports over the entire 15 hours of the test. Processor module SM48, on the other hand, has a report pattern that is very similar to the report pattern exhibited by processor module SM23. This similarity may indicate an inter-module fault between processor modules SM23 and SM48.

Display 401, with most of the reports turned off, exhibits another correlation. There is a definite correlation between assert row 39999 reports and the "waves" of audits occurring at the same time as the row 39999 reports. A "wave" is indicated by a nearly vertical sequence of several types of reports. Additionally, a process was also purged, band 410 row type PURGED, and numerous trunk-errors occurred, band 412 type CRR. Again, processor module SM23 had a very similar report pattern, thus further indicating that an inter-module fault occurred between SM23 and SM48.

Referring now to Fig. 5, the error count secondary attribute is selected from the set of attributes 526, which is essentially the same as 226 in Fig. 2 but with ERRORCNT highlighted instead of SM. The error count secondary attribute is selected to analyze the reports because of the large number of audit reports. Each audit process checks global data and corrects inconsistencies. If such an inconsistency is found, an error-count for that process is incremented. Fig. 5 shows the audit reports inclination and gray shade coded (to represent their respective colors) by their respective ERRORCNT attributes. Since only audits have an ERRORCNT attribute, only the audit tick-marks are shown with their respective inclinations and gray shades. The tick-marks of the assert band 506, operations-and-maintenance band 510, and trunk-error band 512 all turn black in shade and vertical in inclination to indicate that they are not defined in this operating mode.

Display 501 shows that most audits of band 508 found only small numbers of errors, as shown by the blue tick marks. The exception is the PORTLA audit, which is the most-frequently occurring one. PORTLA consistently found high numbers of errors in the log file. This is shown in the corresponding color figure by its green tick marks.

Referring now to Fig. 6, display 601 shows the ERRORCODE attributes of the log-file reports. Display 601 shows the audit reports inclination and gray shade coded according to their respective ERRORCODE attributes. It can readily be seen from display 601 that the error-codes for the majority of audits are the same for the entire 15 hours of the test because the tick-marks all have the same inclination angle. Here, inclination angle within each row is perhaps more effective than gray shade or color because, while adjacent error-codes have shades or colors that are very close, they do not have inclination angles that are close.

In display 601, as previously in display 501, the PORTLA audit is an exception. The cross-hatching visible is due to multiple tick marks with various inclinations. This cross hatching pattern indicates that there are multiple problems that triggered this same audit. This is also why PORTLA was the most frequently-occurring audit, as shown by bar graph 640.

Often, as is the case with this log-file, there are many problems. It would therefore make sense to focus our attention on those problems that are causing the most faults. For software faults, the 5ESS assigns an event number to a sequence of related fault reports. For example, each occurrence of the assert 39999 and its audit waves share the same event number. This fact allows us to select only those events having the greatest number of associated reports. Fig. 7 is the same as Fig. 6 but now using selectors. A selector is a pop-up window that allows values of an attribute to be turned off in the same manner as the color scale. A selector also has a bar-chart that shows the total number of occurrences for all the values.

In Fig. 7, selector 701 on event-number has its values sorted in descending order by count. Of those, only those values that occur the most frequently are left on. This is accomplished by clicking 707 none and using keyboard 109 or mouse 111 for selecting the topmost events. This shows only those faults having the greatest number of associated reports. Of those, we would like to focus our attention on SM23 and SM25 because those are the two SMs on which there were the most faults. (Although this information was shown in a previous figure, this information is also shown by the length of the bars 707 in the SM-selector pop-up window 705.) The effect of using selectors 701 and 705 alters the display such that the tick marks corresponding to the selected reports are displayed.

Referring now to Fig. 8, display 801 is the same as display 701 except for browser window 850. If more information is desired to confirm a hypothesis regarding a particular problem that has been visually analyzed, it may be necessary to go back and look at the original log-file; to browse through the text of the report in order to look for additional details that are not displayed otherwise. For example, take the occurrence of the first ISANBUS audit at about two and two thirds hours into the test; the operator might want to look at and around the original report for something interesting. Clicking mouse 111 on tick-mark 803 corresponding to the ISANBUS audit pops up browser window 850 with the report from the log-file centered in it. The color-coding of the lines of text in the log-file matches the colors in the color scale. The scroll-bar 852 in the browser window 850 allows the operator to browse among the reports nearby in the log-file. Browser window 850 also has a pattern search text field 854 where the operator may type one or more alphanumeric characters, such as the keyword INIT, and search forward or backward in the log-file for a match.

The displays shown in Figs. 2 through 8, respectively, preferably use color to help show different aspects

Referring now to Figs. 1 and 9, the method of obtaining displays 201-801 from the log file will be described. Initially, a log-file of a system is stored in mass storage 120. The log-file is subsequently read into memory 115 where it is processed by processor 113 according to program 117 into a relational database of selected portions of the time stamped reports that make up the log-file. As the log-file is read in and processed, relations 119, - 119, are stored in memory 115. For example, the asserts, audits, operations-and-maintenance reports, and trunk-error reports are four of the relations that are stored.

Each relation 119, - 119, has a descriptor file which contains the names of its attributes. So, these attributes describe a relation. The relations and attributes are associated as the attributes are read into memory area 1702. The relations identify those attributes that they use, and store attribute pointers to each attribute used by the relation. If two relations use the same attribute, only one entry is made in area 1702, and each relation has a pointer to that entry. Similarly, as the log-file is read in, the tuples are stored in memory area 1704 and the relations identify those tuples that they use and store tuple pointers to each.

Fig. 12 illustrates the data structures stored in the attribute area 1702 in detail. First, there is a global pool of attribute names 1802 where each attribute name is associated with a pointer to the named attribute by means of an AVL tree 1804. Each attribute entry has a name, an associated integer index of the attribute AVL tree 1804, a pointer to an AVL tree of values 1808 and a pointer-to-value-node-TO-node value information AVL tree 1806. The AVL tree of values 1808 stores all of the values of said attribute, either numeric or textual. For each value within AVL tree of values 1808, the value itself is stored, a sequential index of each value is stored, and the number of occurrences or frequency of each value is stored.

Attribute AVL tree 1806 also stores for each attribute a pointer to Attribute-value-node, a masked/not masked flag, and a dynamic vector of pointers-to-tuples having said attribute.

Referring now to Fig. 13, the details of data structures stored in the tuple area 1704 will be described. A tuple by definition is a set of values of related attributes, IEEE Std. 100-1992. Each tuple is owned by one and only one of the relations 119, - 119,. Each tuple has a pointer back to its owning relation, a time in seconds from the beginning of the log-file, a line number range in the log corresponding to the message that the tuple represents, a mask count (which is necessary because a tuple may be masked by multiple selectors, yet only one mask is necessary to prevent display of a value), and a vector of pointers-to-Attribute-value-nodes rather than redundantly storing the values themselves.

Referring to Figs. 10 and 14, a selector area 1706 of memory 115 stores data structures used by the selector windows, as shown in Fig. 7. The selector area 1706 stores a mapping of virtual coordinates of attribute values within the window to physical coordinates of data within the display 701. This is necessary when the values are sorted in descending order by count. With each value is a masked/not masked bit and a flag indicating whether the sorting is currently alphanumeric. The virtual coordinates are the coordinates of the values in an ascending order, i.e. the position coordinates of the value if no sorting were performed within the selector window. The actual coordinates are the coordinates of the values displayed within the selector window after a sort has been performed. This mapping is necessary in order to be able to reference the correct value when selecting a sorted value item within a selector window with mouse 111.
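
As an added illustration (not code from the patent), the Python sketch below models the attribute-value, tuple and selector structures described above: each value is stored once per attribute with a sequential index and a frequency, tuples point at shared value nodes, and a per-tuple mask count keeps a report hidden until every selector that masked it has been turned back on. The report line format, the class and function names, and the use of dictionaries in place of AVL trees are assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample reports: "<seconds from start> <class> <type> key=value ...".
# This line format is hypothetical; the page does not specify one.
SAMPLE_LOG = """\
120 AUDIT PORTLA SM=SM23 ERRORCNT=12
130 ASSERT 39999 SM=SM23 EVENT=7
140 AUDIT CKTDATA SM=SM48 ERRORCNT=1
400 AUDIT ISANBUS SM=SM25 ERRORCNT=1
410 AUDIT PORTLA SM=SM23 ERRORCNT=9
415 ASSERT 39999 SM=SM48 EVENT=8
"""

@dataclass(eq=False)
class ValueNode:
    """One unique value of an attribute: index, frequency, mask flag, tuples."""
    value: str
    index: int
    count: int = 0
    masked: bool = False
    tuples: list = field(default_factory=list)

@dataclass(eq=False)
class Tuple:
    """One report: owning relation, time, line range, value nodes, mask count."""
    relation: str
    time: int               # seconds from the beginning of the log-file
    lines: tuple            # (first line, last line) of the report in the log
    values: dict            # attribute name -> shared ValueNode
    mask_count: int = 0

    @property
    def visible(self):
        # A single mask is enough to hide the report.
        return self.mask_count == 0

class LogModel:
    def __init__(self):
        # attribute name -> {value -> ValueNode}; dicts stand in for the AVL trees
        self.attributes = defaultdict(dict)
        self.relations = defaultdict(list)

    def _intern(self, attr, value, tup):
        """Store each value once per attribute and count its occurrences."""
        pool = self.attributes[attr]
        node = pool.get(value)
        if node is None:
            node = pool[value] = ValueNode(value, index=len(pool))
        node.count += 1
        node.tuples.append(tup)
        return node

    def load(self, text):
        for lineno, line in enumerate(text.splitlines(), start=1):
            if not line.strip():
                continue
            secs, relation, rtype, *pairs = line.split()
            tup = Tuple(relation, int(secs), (lineno, lineno), {})
            fields = [("TYPE", rtype)] + [p.split("=", 1) for p in pairs]
            for attr, value in fields:
                tup.values[attr] = self._intern(attr, value, tup)
            self.relations[relation].append(tup)

    def set_mask(self, attr, value, masked):
        """Selector action: turn one attribute value off (True) or on (False)."""
        node = self.attributes[attr][value]
        if node.masked == masked:
            return
        node.masked = masked
        for tup in node.tuples:
            tup.mask_count += 1 if masked else -1

    def histogram(self, bin_seconds, stack_by):
        """Visible reports per time bin, stacked by the value of one attribute."""
        bins = defaultdict(lambda: defaultdict(int))
        for tuples in self.relations.values():
            for tup in tuples:
                node = tup.values.get(stack_by)  # None if attribute is undefined
                if tup.visible and node is not None:
                    bins[tup.time // bin_seconds][node.value] += 1
        return {b: dict(v) for b, v in sorted(bins.items())}

def demo():
    model = LogModel()
    model.load(SAMPLE_LOG)
    model.set_mask("SM", "SM23", True)      # first selector hides SM23
    model.set_mask("TYPE", "PORTLA", True)  # second selector hides PORTLA
    model.set_mask("SM", "SM23", False)     # SM23 back on; PORTLA is still off
    return model

if __name__ == "__main__":
    print(demo().histogram(300, "SM"))
```

The PORTLA reports from SM23 were masked by two selectors, so turning SM23 back on leaves them hidden with a mask count of 1, while the SM23 assert reappears.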

Fig. 15 is a diagram 2101 showing the processes performed to obtain the data structures just described and to use those data structures to produce a display, such as display 201 or display 701. The create-relations procedure 2102 creates the relations 119, - 119,. It operates on a log-file that has been processed into a relational database form.

Referring now to Fig. 16, the create-relations procedure 2102 starts processing with the first relation 119, of relations 119, - 119, and action 2202 reads the descriptor file of the first relation 119,. Next, action 2204 adds attribute names of the descriptor file to global pool of attribute names 1602, also noting which attributes are numeric in character. After action 2204, action 2206 reads a tuple from the log-file database. Next, procedure 2208 processes a tuple of the current relation, as explained below in Fig. 17. After action 2208, action 2210 checks to see if there are more tuples of the current relation to be processed. If the answer is yes, process 2102 returns to action 2206 to read another tuple of the current relation. If the answer is no, that means all the tuples of the current relation have been processed and process 2102 proceeds to action 2212. Action 2212 checks to see if there is another relation of the relations 119, - 119, to be created. If the answer is yes, process 2102 returns to action 2202 and reads the descriptor file of a next relation of relations 119, - 119, to be created. If the answer is no, that means that process 2102 has created all of the relations 119, - 119, and the process 2101 can proceed to create display process 2104.

Referring now to Fig. 17, details of the process tuple procedure 2208 mentioned above will be described before describing create display process 2104. Procedure 2208 starts with a tuple of the current relation and proceeds to action 2302. At action 2302, a value of the current tuple of the relevant attribute is added to the global pool of values 1808 for said attribute and a pointer to this tuple is added to the list of tuples 1810. After action 2302, action 2304 adds a pointer that points to the current attribute-value node in the AVL tree to the current tuple. Next, action 2306 checks to see if there is another value of the current tuple to be processed. If there is another value to be processed, procedure 2208 returns to action 2302 to process the next value as it had processed the previous value of the current tuple. If there is not another value to be processed, procedure 2208 proceeds to action 2308. Action 2308 sets the tuple's pointer to point at the current relation as its owning relation and then the processing of this tuple is complete. After procedure 2208 has been performed for each tuple in each relation 119, - 119, of the relational database corresponding to the log file, the result is the tuple data structure shown in Fig. 13.

Referring now to Fig. 18, details of the create-display procedure 2104 will be described. This process creates a display, such as display 201 on display screen 105. Action 2402 creates a color scale selector along the left side of display 201, shown in Fig. 2, if color displays are utilized. Colors blue through red in a progression of hues may be assigned based on a distribution over unique values of a given attribute. These colors correspond to the tick-mark colors as part of a graphical association technique. Next, action 2404 creates the labels, i.e. the 'names' or symbols used in the display, for the current relation corresponding to the unique values of the primary keys of said relation. The labels are the 'fixed' part of the display and the remaining portions involve further processing of the relations corresponding to the log-file and their respective data structures mentioned previously.

Action 2406 is a create plot procedure that is described in regard to Fig. 19 below. After action 2406 is action 2408, which is a create bars for chart procedure. Action 2408 is described in regard to Fig. 20 below. After action 2408 is action 2410, which checks to see if there is another relation that needs to be displayed. If there is another relation that needs to be displayed, procedure 2104 returns to action 2404 and proceeds through procedures 2406 and 2408 for the next relation. If there is not another relation to be displayed, then procedure 2104 proceeds to action 2412. Action 2412 is a create time bar procedure, which will be explained below in regard to Fig. 21. This completes the creation of a display, such as display 201, on display screen 105.

Referring now to Fig. 19, the create plot procedure 2406 will be
described. Create plot procedure 2406 is entered with a relation already
selected by create display procedure 2104. Action 2502 of procedure 2406
accesses a tuple of the current relation. Next, action 2504 adds
pointer-to-tuple to list of tuples in quadtree at the point (x,y)
determined by the tuple's time and the index of the tuple's value into the
attribute along the y-axis. Action 2504 uses data from the database and
the tuple data structures shown in Fig. 13. Next, action 2506 checks to
see if another tuple needs to be accessed for the create plot for chart
procedure 2406. If there is another tuple that needs to be accessed,
procedure 2406 returns to action 2502 to access another tuple of the
current relation. If there is not another tuple that needs to be accessed,
all tuples of the current relation have been processed for the create plot
for chart procedure 2406 and procedure 2406 proceeds to create bars for
chart procedure 2408.

Referring now to Fig. 20, create bars for chart procedure 2408 will be
described. These bars, bars 214-220 on display 201 of Fig. 2, are the
horizontal ones extending from the right vertical axis of the display. As
with the previous procedure, create bars for chart procedure 2408 is
entered with a relation 119, - 119| already selected. Action 2602
initializes each of the totals for each bar of the display to zero. After
this, procedure 2408 proceeds to action 2604.

Action 2604 checks to see if the current relation has the attribute
selected for color-coding. If the current relation does not have said
attribute, that means the current display is of an attribute that the
relation does not possess and for such a situation no bars are displayed.
For example, see band 506 of display 501 in Fig. 5. In this case, the
procedure 2408 jumps forward to action 2410 of create display procedure
2104 shown in Fig. 18.

If the current relation does have the attribute selected for color coding,
that means that the current display is of an attribute that the relation
possesses and that one or more bars might be drawn, in which case the
procedure 2408 proceeds to action 2606. Action 2606 accesses a tuple of
the current relation and proceeds to action 2608. Action 2608 checks to
see if the accessed tuple is masked. A tuple is considered masked if
either the value of the tuple for the attribute being color-coded by has
been de-selected by using mouse 111 on display 224 of display 201 in
Fig. 2, or the tuple has a non-zero mask count as shown in Fig. 13. If the
accessed tuple is not masked, procedure 2408 proceeds to action 2610 which
increments the total for the bar corresponding to the accessed tuple and
the procedure 2408 proceeds to action 2612. If the accessed tuple is
masked, then the procedure 2408 jumps forward to action 2612 and the total
for the corresponding bar is not incremented. After action 2610, action
2612 checks to see if there is another tuple of the current relation to
access. If there is another tuple to access, procedure 2408 returns to
action 2606 to access another tuple. If there is not another tuple to
access, then all of the bars for the current relation have been created
and procedure 2408 proceeds to action 2410.

Action 2410, as mentioned above with regard to Fig. 18, loops procedure
2104 back in order to process another relation for chart labels, plots and
bars. After all of the relations 119, - 119, have been through actions
2402-2410, then the create display procedure 2104 proceeds to create time
bar process 2412.

Referring now to Fig. 21, the create time bar procedure 2412 will be
described. The create time bar procedure 2412 is independent of individual
relations and is taken over all tuples. Action 2702 at the beginning of
procedure 2412 initializes all time bar totals to zero. Next, procedure
2412 proceeds to action 2704 where a value of the attribute that is being
color coded by is accessed. Next, action 2706 checks to see if the
accessed value is masked by the color selector. If the accessed value is
masked, then this value will not contribute to a time bar and the
procedure jumps forward to action 2716, which will be explained below. If
the accessed value is not masked, then this value will contribute to a
time bar and procedure 2412 proceeds to action 2708.

Action 2708 accesses the tuple having the accessed value. Next, action
2710 checks the accessed tuple to see if this tuple is masked. If this
tuple is masked, then the procedure 2412 jumps forward to action 2714 and
this tuple does not contribute to the current time bar. If this tuple is
not masked, then procedure 2412 proceeds to action 2712 where the current
time bar total is incremented before proceeding to action 2714. The
relevant time bar is determined by dividing the tuple's time in seconds by
the current time interval length.

Action 2714 checks to see if there is another tuple having the accessed
value. If there is another tuple having the accessed value, then procedure
2412 returns to action 2708 to process said tuple. If there is not another
such tuple, then procedure 2412 proceeds to action 2716. Action 2716
checks to see if there is another value to process. If there is another
value to process, procedure 2412 returns to action 2704 to process this
value. If there is not another value to process, then procedure 2412 has
completed all of the time bars and the create display procedure 2104 is
completed. At this point, the data for every part of the display 201 has
been created except for the tick marks, which are described in Fig. 25.
But, to create part of the special display 701, procedures 2106 and 2108
are needed.
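The create time bar loop of procedure 2412 can be sketched in C as follows. This is an added example, not code from the patent: the struct layouts, the names `build_time_bars`, `MAX_BARS` and `deselected`, the range guards and the sample data are all assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

#define MAX_BARS 64                      /* assumed width of the time-bar chart */

/* Hypothetical layouts; the patent describes the fields but gives no code. */
struct tuple { long time_s; int mask_count; };   /* non-zero count = masked */
struct attr_value {
    const char *name;
    int deselected;                      /* turned off in the color selector */
    const struct tuple *tuples;          /* tuples having this value */
    size_t ntuples;
};

/* Fill totals[] with one count per time interval. Returns the number of
 * tuples counted, or -1 when the interval length is not positive. */
long build_time_bars(const struct attr_value *vals, size_t nvals,
                     long interval_s, long totals[MAX_BARS])
{
    long counted = 0;
    if (interval_s <= 0) return -1;
    for (size_t b = 0; b < MAX_BARS; b++) totals[b] = 0;       /* action 2702 */
    for (size_t v = 0; v < nvals; v++) {                        /* 2704, 2716 */
        if (vals[v].deselected) continue;                       /* 2706 */
        for (size_t t = 0; t < vals[v].ntuples; t++) {          /* 2708, 2714 */
            const struct tuple *tp = &vals[v].tuples[t];
            if (tp->mask_count != 0) continue;                  /* 2710 */
            if (tp->time_s < 0) continue;        /* guard: before chart start */
            long bar = tp->time_s / interval_s;  /* relevant time bar */
            if (bar >= MAX_BARS) continue;       /* guard: past chart end */
            totals[bar]++;                                      /* 2712 */
            counted++;
        }
    }
    return counted;
}

/* Constructed sample data: times are seconds from the start of the log. */
static const struct tuple assert_t[] = { {30, 0}, {95, 0}, {100, 1} };
static const struct tuple audit_t[]  = { {10, 0}, {70, 0} };
static const struct tuple init_t[]   = { {5, 0} };
static const struct attr_value demo_vals[] = {
    { "ASSERT", 0, assert_t, 3 },
    { "AUDIT",  1, audit_t,  2 },        /* de-selected by the operator */
    { "INIT",   0, init_t,   1 },
};
static long demo_totals[MAX_BARS];

int main(void)
{
    long n = build_time_bars(demo_vals, 3, 60, demo_totals);
    printf("counted=%ld bar0=%ld bar1=%ld\n", n, demo_totals[0], demo_totals[1]);
    return 0;
}
```

Calling the function again with a different `interval_s` rebuilds the totals from scratch, which is how an adjustable time interval would be served.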

Referring now to Fig. 22, a read log-file process 2106 will be described.
This is a process for use in a browser window. Action 2802 reads the log
file into memory 115. Next, action 2804 initializes a buffer pointer at
the start of the log-file in memory. Next, action 2806 examines the
character at which the buffer pointer is pointing. This examination
determines if the character is a newline character or some other character
and then procedure 2106 proceeds to action 2808. Action 2808 checks to see
if the character the buffer pointer is pointing to is a newline character.
If it is not a newline character, the procedure 2106 jumps forward to
action 2814. If the character the buffer pointer is pointing to is a
newline character, then procedure 2106 proceeds to action 2810.

Procedure 2106 reaches action 2810 because a new line of text has started
as signified by the newline character. Action 2810 changes the newline
character to the null character to terminate the line of text in memory.
Next, action 2812 sets the pointer for the line 1610 to one past the
newline character, i.e. at the start of the new line of text and proceeds
to action 2814. Action 2814 checks to see if there is another character to
be examined. If there is another character to be examined, procedure 2106
returns to action 2806 to examine another character. Procedure 2106 will
loop back in this manner until the start of each new line has been stored
in memory 115 and there are no more characters in the log-file to be
examined. At this point, overall procedure 2101 proceeds to procedure
2108.
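The in-place line indexing performed by procedure 2106 can be sketched in C as follows. This is an added example, not code from the patent: `index_lines`, `struct line_index`, `MAX_LINES` and the sample log text are assumptions, and the handling of a final line without a trailing newline and of a full line table goes beyond what the description states.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_LINES 1024                   /* assumed capacity of the line table */

/* Hypothetical layout for the per-line pointers the patent calls 1610. */
struct line_index {
    char  *start[MAX_LINES];
    size_t count;
};

/* Index buf[0..len) in place. buf[len] must be writable so that a final
 * line without a trailing newline can still be terminated.
 * Returns the number of lines, or (size_t)-1 if the table is full. */
size_t index_lines(char *buf, size_t len, struct line_index *idx)
{
    idx->count = 0;
    if (len == 0) return 0;
    idx->start[idx->count++] = buf;              /* first line: buffer start */
    for (size_t i = 0; i < len; i++) {           /* actions 2806, 2814 */
        if (buf[i] != '\n') continue;            /* action 2808 */
        buf[i] = '\0';                           /* action 2810 */
        if (i + 1 == len) break;                 /* newline was the last byte */
        if (idx->count == MAX_LINES) return (size_t)-1;
        idx->start[idx->count++] = &buf[i + 1];  /* action 2812 */
    }
    buf[len] = '\0';                             /* terminate the final line */
    return idx->count;
}

/* Constructed sample: two reports, one empty line, no final newline. */
static char demo_log[] =
    "09:00:01 SM 3 AUDIT ok\n"
    "09:00:02 SM 7 ASSERT fail\n"
    "\n"
    "09:00:05 AM INIT";
static struct line_index demo_idx;

int main(void)
{
    size_t n = index_lines(demo_log, sizeof demo_log - 1, &demo_idx);
    for (size_t i = 0; i < n; i++)
        printf("%zu: \"%s\"\n", i + 1, demo_idx.start[i]);
    return 0;
}
```

Because the buffer is modified in place, each stored pointer is directly usable as a C string for the browser window, and a line number maps to its text in constant time.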

Referring now to Fig. 23, a color log file procedure 2108 will be
described. This procedure sets the color of the log file text to the same
colors as the tuples displayed on the screen 105 as a visual device that
confirms to the operator that the log file report brought up in a browser
window 850, as seen in Fig. 8, by pointing the pointer 107 and clicking a
button of the mouse 111 is related to the tick-mark clicked on in the
display.

Action 2902 is the first action and this action accesses an attribute.
Next, action 2904 accesses a relation. Next, action 2906 accesses a tuple
of the accessed relation. After action 2906, action 2908 checks to see if
the accessed relation has the accessed attribute. If the accessed relation
does not have the accessed attribute, procedure 2108 proceeds to action
2912 which sets the color indices 1620 corresponding to the line number
range for the current tuple to white and proceeds to action 2914. If the
accessed relation does have the accessed attribute, procedure 2108
proceeds to action 2910 which sets color indices 1620 corresponding to the
line number range for the current tuple to the index of the tuple's value
in the current attribute and proceeds to action 2914.

Action 2914 checks to see if there is another tuple of the relation to be
accessed. If there is another tuple, then the procedure 2108 returns to
action 2906 to access this other tuple to check for the current attribute.
If there is not another tuple of this relation, procedure 2108 proceeds to
action 2916 which checks to see if there is another relation. If there is
another relation, procedure 2108 returns to action 2904 to access the
relation to check the tuples thereof for the attribute. If there is not
another relation to check, procedure 2108 proceeds to action 2918 to check
if there is another attribute to be accessed. If there is another
attribute to be accessed, procedure 2108 returns to action 2902 to access
this other attribute to see if the relations have this attribute. If there
is not another attribute to access, that means that all the attributes
have been accessed and all of the log-file lines have had color coding set
and stored either to the color of their respective tuple's values or to
white.

Referring now to Fig. 24, a pick correlation procedure 3001 will be
described. Pick correlation of symbols procedure 3001 is used to allow the
operator to interact with the display via the pointer 107 and the mouse
111. Action 3002 converts mouse physical coordinates (x,y) to time in
seconds, i.e. the horizontal axis, and an index into the values of the
attribute along the y-axis. Next, action 3004 takes the converted
coordinates (x',y') and searches a quadtree list for a list of tuples at
said coordinates. After action 3004, action 3006 checks to see if the
search found a list of tuples at (x',y'). If no list was found, procedure
3001 is done and correlation process is finished, i.e. no correlation
resulted.

If a list of tuples is found, action 3008 accesses a tuple on the list via
a pointer and procedure 3001 proceeds to action 3010. Action 3010 checks
to see if the accessed tuple is masked. If it is masked, procedure 3001
proceeds to action 3012 which checks to see if there is another tuple on
the list. If there is, procedure 3001 returns to action 3008 to access and
check for masking of this tuple. If there is not another tuple, procedure
3001 terminates. If the tuple accessed by action 3008 is not masked, the
procedure 3001 proceeds from action 3010 to action 3014. Action 3014 is
the desired result, from the operator's point of view, for action 3014
interactively scrolls a browser window 850 to display the report in the
log-file that corresponds to the tick mark 803 clicked on with mouse 111.

Referring now to Fig. 25, procedure 3101 of plotting of tuples on the
screen 105 will be described. Action 3102 accesses a tuple on the display
to be plotted. Next, action 3104 checks to see if this tuple is masked. If
this tuple is masked, procedure 3101 jumps to action 3114 to search for
another tuple. If this tuple is not masked, procedure 3101 proceeds to
action 3106. Action 3106 sets the color according to the index of the
tuple's value into the values of the attribute being color-coded by. Next,
action 3108 determines the (x,y) position based upon the tuple's time and
its index into the values of the attribute being used along the y-axis.
Next, action 3110 sets the angle of inclination of a to-be-drawn tick-mark
according to the index of the tuple's value into the values of the
attribute being angle-coded by. Next, action 3112 draws the inclined and
color coded line centered at the (x,y) position on screen 105. After
action 3112, procedure 3101 proceeds to action 3114 which checks to see if
there is another tuple to possibly plot. If there is another tuple,
procedure 3101 returns to action 3102 for this next tuple. If there is not
another tuple, all of the tuples have been plotted on the screen 105 and
the process 3101 is completed.

Referring back to Fig. 15, procedure 2110 is the run program process,
which forms various displays from all of the graphical data that has been
created and stored by procedures 2102, 2104, 2106, and 2108. In addition,
the run program procedure 2110 uses procedures 3001 and 3101 to provide
the operator with an interactive graphical display for analyzing a
log-file.

An apparatus according to the present invention enables an operator to
quickly find and isolate interesting messages within a processor system,
even a distributed processor system. Further, because the interesting
messages are discovered so rapidly, the invention enables the operator to
find second-level messages, some of which might not be discoverable with
the previous text based techniques.

While the invention has been particularly illustrated and described with
reference to preferred embodiments thereof, it will be understood that
various changes in form, details, and applications may be made therein.
For example, the invention could be used with a distributed computer
system instead of a distributed switching processor system.



Claims 

1. Apparatus having means for originating a plurality of time-stamped
messages, each message having a set of characteristics and means for
visually displaying a plurality of symbols, characterized in that

each symbol corresponding to a respective message of said plurality of
messages;

each symbol having an appearance that varies according to a characteristic
of its respective message; and

each symbol having a position that is determined by the time-stamp and a
second characteristic of its respective message.

2. The apparatus according to claim 1, wherein values of said
characteristic are ordered.

3. The apparatus according to claim 1, wherein:

each symbol is a line-segment of varying inclination and varying color.

4. The apparatus according to claim 1, wherein:

each symbol is a line-segment varying in inclination, color and visual
texture.

5. The apparatus according to claim 1, wherein:

each symbol is a geometric shape varying in color.

6. The apparatus according to claim 1, wherein:

each symbol is a geometric shape varying in visual texture.

7. The apparatus according to claim 1, wherein:

each symbol is a geometric shape varying in color and visual texture.

8. The apparatus according to claim 1, further characterized by means for
displaying the message corresponding to any symbol.

9. The apparatus according to claim 8, further characterized by means for
searching the plurality of messages for a textual pattern.

10. The apparatus according to claim 1, further characterized by means for
displaying a total of occurrences of messages of a specific type.

11. The apparatus according to claim 10, wherein said time interval is
adjustable.

12. The apparatus according to claim 1, further characterized by means for
displaying a total of all messages time stamped within a time interval.

13. The apparatus according to claim 12, wherein said time interval is
adjustable.

14. The apparatus according to claim 1, further characterized by means for
turning off the displaying of all symbols except those having a
characteristic that they are from a selected module.

15. The apparatus according to claim 14, wherein said selected module is a
processor module.

16. The apparatus according to claim 1, further characterized by means for
displaying a selector window that allows selected values of an attribute
to not be displayed.

17. Apparatus having a processor, a random access memory, a mass storage
device having a plurality of unprocessed log file messages stored therein,
a relational data base process performed by said processor to process said
plurality of unprocessed log file messages into a set of relations stored
in said random access memory, characterized by

display means for visually displaying non-textual geometric
representations of said relations derived from said plurality of log file
messages.

18. Apparatus for visually presenting a log file having a plurality of
time-stamped messages, each message having a set of characteristics,
characterized in that graphical techniques are employed to visually
distinguish between characteristics of said messages.

19. A method for analyzing a plurality of time-stamped messages originated
by a system, each message having a set of characteristics, characterized
by

visually displaying a plurality of symbols, each symbol corresponding to a
respective message of said plurality of messages, each symbol having an
appearance that varies according to a characteristic of its respective
message; and

locating each symbol at a position that is determined by its respective
time-stamp and a second characteristic of its respective message.